This release includes 1 breaking change for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal: Chevereto 4.5.3 removes FTP/SFTP storage API support in the SaaS context.
Why it matters: Affects any SaaS deployments using FTP or SFTP for storage; migration to alternative APIs is required before this change takes effect.
Summary
AI summary: Removed FTP/SFTP storage API support in SaaS context.
Changes in this release
| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Security | Medium | Added CSRF protection to POST /account/* endpoints | — | high |
| Security | Medium | Added CSRF protection to POST /album endpoint (password protected albums) | — | high |
| Feature | Medium | Added CHEVERETO_ENVIRONMENT default value | — | low |
| Feature | Medium | Added Variables support to encrypt-secrets and decrypt-secrets commands | — | low |
| Deprecation | Medium | Removed support for FTP/SFTP storage APIs in SaaS context | — | high |
| Bugfix | Medium | Fixed bug affecting PHP page creation/editing | — | high |
| Bugfix | Medium | Fixed bug breaking TenantsConfig | — | high |
| Bugfix | Medium | Fixed bug with missing login-providers.php file in Lite edition | — | high |
| Bugfix | Medium | Fixed bug causing missing support for theme library overrides | — | low |
| Bugfix | Medium | Fixed bug with FTP storage API not creating date folder structure | — | low |
| Bugfix | Medium | Fixed missing success message after creating a new user from dashboard | — | low |

Source for all entries: llm_adapter@2026-05-21
Full changelog
Chevereto 4.5.3 (2026-05-14)
- Added CHEVERETO_ENVIRONMENT default value
- Added CSRF protection to POST /account/* endpoints
- Added CSRF protection to POST /album endpoint (password protected albums)
- Added Variables support to the encrypt-secrets and decrypt-secrets commands
- Fixed bug affecting PHP page creation/editing
- Fixed bug breaking TenantsConfig
- Fixed bug causing missing support for theme library overrides
- Fixed bug with FTP storage API not creating date folder structure
- Fixed bug with missing login-providers.php file in Lite edition
- Fixed missing success message after creating a new user from dashboard
- Removed support for FTP/SFTP storage APIs in SaaS context
Breaking Changes
- Removed support for FTP and SFTP storage APIs in the Chevereto SaaS context.
About chevereto
The mature, battle-tested, high-end, OG self-hosted image and video hosting solution trusted since 2007. Build your own Flickr or Imgur-style media sharing platform with complete control over your content, data, and platform rules.